topic Hi. in Network Security

FirePOWER not blocking TOR (The Onion Router)

mauricioharley — Tue, 12 Mar 2019 12:50:28 GMT

Dear friends,

I have a system comprised of an ASA FirePOWER version 5.4.0.5 and a FireSIGHT 6.0.0 (running on top of VMware). I installed the latest patch (patch 4).

I configured an access policy including URL Filtering (it's correctly licensed). I can see many URLs being filtered out of my traffic. However, even with the "Tor_exit_node" inside the policy (please, check the attached screenshot), I get successful connections from the users - checking on users computers themselves.

So, what else must be done to get this working?

Thank you,

Mauricio Harley

Hi.

Aastha Bhardwaj — Mon, 14 Dec 2015 17:31:14 GMT

Hi.

The IP addresses of known TOR exit nodes are included in the Security Intelligence feed.
You may block connections to these IP addresses by setting the category Tor_exit_node in
the blacklist column of your security intelligence settings for your applied access
control policy. Setting Any as the configured zone will block connections to and from
these IP addresses.

Policies --> Access Control --> Edit a policy --> Security Intelligence tab.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Hi,

ed.sherratt — Fri, 18 Dec 2015 11:03:17 GMT

Hi,

One other thing to note the feeds are TOR exit nodes IPs not URLs, and not necessarily entry points.

I agree with the previous comment - the best option is the security intelligence block.

Regards,
Ed

Re: Hi,

rick11 — Wed, 25 Sep 2019 11:14:47 GMT

Hello,

we did setup in application blocking TOR and Tor directory services. still not working.

Is it necessary to add the security intelligence fields in detection or blocking mode?

Thank you!

Re: Hi,

Marvin Rhoads — Wed, 25 Sep 2019 13:10:50 GMT

@rick11 yes - add the SI section settings to block TOR effectively.

Policies > Access Control. Edit your ACP. On the Security Intelligence tab choose TOR Exit nodes from the network list and apply to Blacklist action. Save and deploy.

Re: Hi,

telesymbol — Wed, 31 Aug 2022 08:21:02 GMT

Is this solution still valid? i have tried it several times but not able to block TOR. We're also facing similar issue blocking Ultrasurf.

Thanks!

Re: Hi,

MSJ1 — Fri, 25 Aug 2023 15:17:03 GMT

@Marvin Rhoads But how should we allow tor traffic for a legitimate web service hosted after fw while in SI tor_ext_node is Blocked

Re: Hi,

Marvin Rhoads — Fri, 25 Aug 2023 16:16:19 GMT

@MSJ1 are you saying you have a legitimate web site that's being blocked since it's identified as a TOR exit node?

Generally speaking, we can manually whitelist specific addresses if the built-in categorization and SI update feed from Cisco Talos is incorrectly blocking an address.

If it's a site you host, then the incorrect categorization should be reported via the form at www.talosintelligence.com